Oracle Web Service Manager

Constraint based Global Policy Attachments (CGPA) - 11gR1

There are quite a few new features that were delivered as part of OWSM 11gR1 PS5 (11.1.1.6.0). One of the new features that was delivered is the ability define Constraint based Global Policy Attachments (or sometimes referred to as Conditional Global Policy Attachments).

In this post - i will provide a brief illustration of the use-case that motivated addition of that feature.

Consider you have a Web Service. In many cases Web Services are exposed both within the internal network of an organization and/or in many cases the same Web Services are exposed outside the organization so that clients such as partners, etc can access these Web Services. So we can categorize Web Services into three categories:

Mixed Web Services i.e. web services that are accessed by both internal and external Web Service Clients.

In many cases customers want to have different levels of security for web services accessed by internal web service clients, compared to those web services that are accessed by external web service clients (ex: Partners or clients accessing services hosted on a public or private cloud).

Web Service Type

Security Level

Internal Web Services

Low

External Web Services

High

Mixed Web Services

?

Here is a pictorial representation of the use-case.

Typically the only way to solve this to use High level security for Mixed Web Services - this results in Internal Web Services also using High level of security. The Conditional Global Policy Attachments feature is designed to address this scenario. It allows Internal access to continue to use Low level security, while External access can continue to use High level security.

Another relevant aspect that customer's typically run into is sometimes Web Services that are flagged as Internal may then need to be exposed Externally and this transition requires changing the Security level. Conditional Global Policy Attachments obviates the need for handling these type of scenarios.